New SMB3 features in Wireshark
POSIX extensions, decryption and wireshark-based tools
Aurélien Aptel <[email protected]>
SUSE
Who am I
• Aurélien Aptel
• Employed by SUSE Linux from Nuremberg, Germany
• Samba team member
• Work on open source SMB-related things
  – cifs.ko: the Linux SMB kernel client to mount remote shares
  – Samba: userspace client and server implementation for Linux
  – Wireshark: this talk :)
  – ...
Wireshark: what is it?
• Network sniffer and analyzer
• Open Source (GNU GPLv2)
• Available on most platforms (Windows, Mac, Linux and other unixes)
• http://wireshark.org
Network sniffer?
• Traditional solution (unix): tcpdump
  – Simple command line tool for simple environment (embedded?)
    tcpdump -s 0 -w trace.pcap port 445
  – Captures network traffic to trace.pcap file
  – No size limit for the packets
  – Load trace in wireshark
• Wireshark can also capture
  – Same capture filters (!= display filters)
• tcpdump, WinDump, Analyzer, … programs using libpcap/WinPcap library
  – But many display filters!
  – Personal choice: capture everything, filter later.
  – Display filter: smb||smb2||dns||krb4
Network sniffer?
• Windows 7/2008 and above
    netsh trace start persistent=yes capture=yes tracefile=c:\temp\mytrace.etl
    …
    netsh trace stop
• Open in netmon (https://www.microsoft.com/en-us/download/4865)
• Save as pcap
• “persistent=yes” makes it work across reboot
Analyzer
• Sample trace
  [Screenshots of the sample trace walk through the Wireshark panes: filter expression, packet summaries, packet detail, hex dump]
Analyzer
• Wireshark handles reassembling (large packet split, retransmission)
• Only see the good stuff
• Each filter can do more than filtering
  – Dissectors
• 2 different dissectors for SMB1 and SMB2+
  – SMB3 shows up as SMB2
• Mostly written by Ronnie Sahlberg
Analyzer
• Generated fields in [ brackets ]
• Tracks context
  – Clickable link to Request/Response
  – When files are opened or closed
  – When session is opened
  – …
• Discoverable, filterable
  [Screenshot: generated fields and context links in the packet detail pane]
SMB3 decryption
• Wireshark can decrypt SMB3 traffic
  – SMB3.0 since version 2.5.0 (released February 2018)
  – SMB3.1.1 in next version (not yet released :)
  – AES-128-CCM only
  – NTLMSSP and Kerberos authentication
• Requirements
  – User must provide Session Key
  – Trace must have initial connection steps
    • negotiate protocol & session setup
  – If you do not want to capture the whole session
    • Capture session setup, stop, capture rest later
    • Merge traces: mergecap -w output.pcap input1.pcap input2.pcap inputN.pcap
SMB3 decryption: Getting Session Key
• Linux:
  – Compile with CIFS_DEBUG_DUMP_KEYS enabled
  – Keys printed in kernel log:
    CIFS VFS: generate_smb3signingkey: dumping generated AES session keys
    CIFS VFS: Session Id 61 00 00 28 64 1c 00 00
    CIFS VFS: Session Key 7b 7c 77 53 cf 29 7b ca 69 26 ce 58 bb 1b 12 df
    CIFS VFS: Signing Key 29 a3 f0 e6 72 45 01 b9 aa e3 cd 75 15 88 4a 85
    CIFS VFS: ServerIn Key ec de b2 7c 49 13 78 89 d7 5b d2 6c 42 20 b3 c3
    CIFS VFS: ServerOut Key 35 a4 dc 80 2c d3 4c 87 cb bd 78 82 f7 ea 66 15
• Windows: ?
SMB3 decryption
• Edit > Preferences > Protocols > SMB2
SMB3 decryption
• Alternatively can be passed via CLI
    wireshark -ouat:smb2_seskey_list:<ses_id>,<ses_key> smb311.pcap
  E.g.:
    wireshark -ouat:smb2_seskey_list:2900009c003c0000,f1fa528d3cd182cca67bd4596dabd885 smb311.pcap
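As an added example (not code from the talk or from Wireshark), a small Python helper that turns the cifs.ko key dump from the previous slide into the -o option shown here, and derives the SMB 3.0 signing and encryption keys from the session key the way MS-SMB2 3.1.4.2 specifies (SP800-108 counter-mode KDF with HMAC-SHA256), which is what the dissector needs the session key for. Assumptions: the session id is passed in the byte order the kernel dumps it (wire order, matching the ses_id form on this slide), and the label/context strings are the SMB 3.0 ones; SMB 3.1.1 uses the preauth integrity hash as context instead, so the derivation part does not apply to smb311.pcap.

```python
import hashlib
import hmac
import re
import struct

# Constructed sample: the lines a CIFS_DEBUG_DUMP_KEYS build prints (values from the slide).
KERNEL_LOG = """\
CIFS VFS: generate_smb3signingkey: dumping generated AES session keys
CIFS VFS: Session Id 61 00 00 28 64 1c 00 00
CIFS VFS: Session Key 7b 7c 77 53 cf 29 7b ca 69 26 ce 58 bb 1b 12 df
CIFS VFS: Signing Key 29 a3 f0 e6 72 45 01 b9 aa e3 cd 75 15 88 4a 85
"""

_LINE = re.compile(r"CIFS VFS: (Session Id|Session Key|Signing Key|ServerIn Key|ServerOut Key)"
                   r"((?: [0-9a-f]{2})+)")


def parse_dump(log):
    """Map each dumped field name to its raw bytes, e.g. {'Session Id': b'a\\x00...'}."""
    return {m.group(1): bytes.fromhex(m.group(2).replace(" ", "")) for m in _LINE.finditer(log)}


def wireshark_option(dump):
    """Build the -o argument for the smb2_seskey_list UAT; bytes are kept in the
    order the kernel dumps them (assumed to be wire order, as in the CLI example)."""
    return "-ouat:smb2_seskey_list:%s,%s" % (dump["Session Id"].hex(), dump["Session Key"].hex())


def smb3_kdf(session_key, label, context):
    """SP800-108 KDF in counter mode, HMAC-SHA256, r=32, L=128: one block of
    HMAC(K, [1]_32 || Label || 0x00 || Context || [128]_32), truncated to 16 bytes."""
    data = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", 128)
    return hmac.new(session_key, data, hashlib.sha256).digest()[:16]


def smb30_keys(session_key):
    """SMB 3.0/3.0.2 labels and contexts (MS-SMB2 3.1.4.2); the NUL terminators are
    part of the strings. 'ServerIn' encrypts client->server, 'ServerOut' server->client."""
    return {
        "signing": smb3_kdf(session_key, b"SMB2AESCMAC\x00", b"SmbSign\x00"),
        "client_to_server": smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerIn \x00"),
        "server_to_client": smb3_kdf(session_key, b"SMB2AESCCM\x00", b"ServerOut\x00"),
    }


if __name__ == "__main__":
    dump = parse_dump(KERNEL_LOG)
    print("wireshark", wireshark_option(dump), "trace.pcap")
    for name, key in smb30_keys(dump["Session Key"]).items():
        print("%-17s %s" % (name, key.hex()))
```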
SMB3 decryption
  [Screenshots: decrypted SMB3 traffic shown in Wireshark]
SMB2 POSIX extensions
• Not merged yet (extension isn’t final yet :)
• https://github.com/aaptel/wireshark/commits/smb3unix
• git clone https://github.com/aaptel/wireshark.git && git checkout smb3unix
• Negotiate protocol capability
• Create context request/response
• New INFO level
See https://wiki.samba.org/index.php/SMB3-Linux for more
Other new things
• Better parsing of Filesystem attributes
• Better parsing for all level info of FIND responses
• Bug fixes: opening share root (empty file name) context properly saved
New wireshark-based tool: smbcmp
• Wireshark has a CLI version
  – Tshark
• Mostly same CLI options and flags
  – Can get summary view or detailed view
    Summary:  tshark -r <cap>
    Detailed: tshark -r <cap> -V
New wireshark-based tool: smbcmp
• Diff traces to debug problems
• https://github.com/aaptel/smbcmp
DEMO
Wireshark development
• Git / gerrit based
• https://www.wireshark.org/docs/wsdg_html_chunked/ChSrcContribute.html
• Make gerrit account on https://code.wireshark.org/review
• git clone <account>@code.wireshark.org:29418/wireshark
• cp tools/pre-commit tools/commit-msg .git/hooks
• git checkout -b frobnify
• *hack, hack, hack...*
  – Almost always limited to epan/dissectors/packet-smb2.c
• git commit -a -m "smb3: frobnify XYZ"
• git push -f origin HEAD:refs/for/master/smb3-frob
• Web/email based reviewing process
• Iterate on your changes depending on the feedback and push -f again
• Web UI is automatically updated
Wireshark development
• https://code.wireshark.org/review/q/topic:"<branch name>"
Thanks!
Questions?